Rule Library
Sigma Rules
51 rules found for "attack.T1053.005"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Threat Hunt · low · test
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
Detects the loading of the "taskschd.dll" module from a process that is located in a potentially suspicious or uncommon directory. The loading of this DLL might indicate that the application has the capability to create a scheduled task via the "Schedule.Service" COM object. Investigation of the loading application and its behavior is required to determine whether it is malicious.
Windows · Image Load (DLL)
TA0003 · Persistence, TA0002 · Execution, TA0004 · Privilege Escalation, T1053.005 · Scheduled Task, +1
Swachchhanda Shrawan Poudel · Mon Sep 02 · windows
Threat Hunt · medium · test
Scheduled Task Creation From Potential Suspicious Parent Location
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
Windows · Process Creation
TA0002 · Execution, TA0003 · Persistence, TA0004 · Privilege Escalation, T1053.005 · Scheduled Task, +1
Florian Roth (Nextron Systems) · Wed Feb 23 · windows
Threat Hunt · low · test
Scheduled Task Created - Registry
Detects the creation of a scheduled task via Registry keys.
Windows · Registry Event
TA0002 · Execution, TA0003 · Persistence, TA0004 · Privilege Escalation, S0111 · schtasks, +3
Center for Threat Informed Defense (CTID) Summiting the Pyramid Team · Wed Sep 27 · windows